From 17e102d914a59cfff8962dfb9ca363682cc288c8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 1 Aug 2018 19:45:09 -0700 Subject: [PATCH 1/6] Fixes for asio build options (so includes OPENSSL_EXTRA). Fix for bad named variable `shutdown`. Fix for the side size in Options struct to support `WOLFSSL_SIDE_NEITHER` (3). Fix to set the side on wolfSS_connect() or wolfSS_accept(). --- configure.ac | 7 ++++--- src/ssl.c | 30 ++++++++++++++++++++---------- wolfssl/internal.h | 2 +- 3 files changed, 25 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index b3510c4a2..e50956bf1 100644 --- a/configure.ac +++ b/configure.ac @@ -3069,14 +3069,15 @@ AC_ARG_ENABLE([asio], ) if test "$ENABLED_ASIO" = "yes" then - # Requires opensslall make sure on + # Requires opensslextra and opensslall if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then ENABLED_OPENSSLALL="yes" - AM_CFLAGS="-DOPENSSL_ALL $AM_CFLAGS" + ENABLED_OPENSSLEXTRA="yes" + AM_CFLAGS="-DOPENSSL_EXTRA -DOPENSSL_ALL $AM_CFLAGS" fi AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASIO -DASIO_USE_WOLFSSL -DWOLFSSL_KEY_GEN" - AM_CFLAGS="$AM_CFLAGS -DBOOST_ASIO_USE_WOLFSSL" + AM_CFLAGS="$AM_CFLAGS -DBOOST_ASIO_USE_WOLFSSL -DHAVE_EX_DATA" AM_CFLAGS="$AM_CFLAGS -DSSL_TXT_TLSV1_2 -DSSL_TXT_TLSV1_1" AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3" if test "$ENABLED_TLSV10" = "yes" diff --git a/src/ssl.c b/src/ssl.c index 7e19734cc..755cbcbc9 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -248,7 +248,7 @@ WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap) { WOLFSSL_CTX* ctx = NULL; - WOLFSSL_ENTER("WOLFSSL_CTX_new_ex"); + WOLFSSL_ENTER("wolfSSL_CTX_new_ex"); if (initRefCount == 0) { /* user no longer forced to call Init themselves */ 
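Review bot: The new `ENABLED_OPENSSLEXTRA="yes"` and `-DOPENSSL_EXTRA` sit inside the `test "x$ENABLED_OPENSSLALL" = "xno"` branch, so a tree configured with opensslall on but opensslextra off still gets no OPENSSL_EXTRA from the asio option, although the commit says asio requires it. Unless opensslall already implies opensslextra elsewhere in configure.ac, move `ENABLED_OPENSSLEXTRA="yes"` out of the inner `if`, next to the existing `AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASIO ..."` line, so it applies whenever asio is enabled. The unconditional `-DHAVE_EX_DATA` is fine, but a one-line comment such as `# asio needs SSL ex_data support` would record why this option forces it.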
@@ -8739,12 +8739,16 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl == NULL) return BAD_FUNC_ARG; - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_ST_CONNECT, SSL_SUCCESS); - ssl->cbmode = SSL_CB_WRITE; - } - #endif + #ifdef OPENSSL_EXTRA + if (ssl->options.side == WOLFSSL_NEITHER_END) { + ssl->options.side = WOLFSSL_CLIENT_END; + } + + if (ssl->CBIS != NULL) { + ssl->CBIS(ssl, SSL_ST_CONNECT, SSL_SUCCESS); + ssl->cbmode = SSL_CB_WRITE; + } + #endif if (ssl->options.side != WOLFSSL_CLIENT_END) { WOLFSSL_ERROR(ssl->error = SIDE_ERROR); return WOLFSSL_FATAL_ERROR; @@ -9125,6 +9129,12 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif (void)haveMcast; + #ifdef OPENSSL_EXTRA + if (ssl->options.side == WOLFSSL_NEITHER_END) { + ssl->options.side = WOLFSSL_SERVER_END; + } + #endif + if (ssl->options.side != WOLFSSL_SERVER_END) { WOLFSSL_ERROR(ssl->error = SIDE_ERROR); return WOLFSSL_FATAL_ERROR; @@ -15444,17 +15454,17 @@ void wolfSSL_set_connect_state(WOLFSSL* ssl) int wolfSSL_get_shutdown(const WOLFSSL* ssl) { - int shutdown = 0; + int isShutdown = 0; WOLFSSL_ENTER("wolfSSL_get_shutdown"); if (ssl) { /* in OpenSSL, WOLFSSL_SENT_SHUTDOWN = 1, when closeNotifySent * * WOLFSSL_RECEIVED_SHUTDOWN = 2, from close notify or fatal err */ - shutdown = ((ssl->options.closeNotify||ssl->options.connReset) << 1) + isShutdown = ((ssl->options.closeNotify||ssl->options.connReset) << 1) | (ssl->options.sentNotify); } - return shutdown; + return isShutdown; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ab96ac799..a3a8af56f 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3105,7 +3105,7 @@ typedef struct Options { #ifdef HAVE_EXT_CACHE word16 internalCacheOff:1; #endif - word16 side:1; /* client or server end */ + word16 side:2; /* client, server or neither end */ word16 verifyPeer:1; word16 verifyNone:1; word16 failNoCert:1; From eca64717be0db135926ebb7a05e05c0b304420cf Mon Sep 17 00:00:00 2001 
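Review bot: The wolfSSL_connect hunk decides the side by writing `ssl->options.side = WOLFSSL_CLIENT_END;` straight into the field, and the wolfSSL_accept hunk (`@@ -9125,6 +9129,12 @@`) does the same with WOLFSSL_SERVER_END; if anything side-dependent (suite selection, for instance) already ran while the side was WOLFSSL_NEITHER_END, these assignments do not redo it. Worth confirming whether the path wolfSSL_set_connect_state / wolfSSL_set_accept_state take does more than set the field, and if so calling that here instead. A short comment on the new block, e.g. `/* side is still undecided when a generic method was used; fix it now */`, would also explain why WOLFSSL_NEITHER_END can be observed at this point. Both enclosing functions start and continue outside their hunks.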
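Review bot: `word16 side:2;` is widened so that WOLFSSL_NEITHER_END (3 per the commit message, which calls it WOLFSSL_SIDE_NEITHER) fits, but nothing records that bound, and assigning a larger enum value to an unsigned bit-field truncates silently. Extend the comment to `word16 side:2; /* client, server or neither end; must hold WOLFSSL_NEITHER_END (3) */`, and if the build already has a compile-time assert macro, add one beside the enum that defines WOLFSSL_NEITHER_END. Any site that copies `side` into a 1-bit field or tests it as a boolean (none is visible from here) would also need a look now that the field is no longer two-valued.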
From: David Garske Date: Thu, 2 Aug 2018 13:05:32 -0700 Subject: [PATCH 2/6] Fix for `BIO_wpending` to work correctly. --- src/bio.c | 33 ++++++++++++++++++++++++++++----- wolfssl/openssl/ssl.h | 3 ++- wolfssl/ssl.h | 1 + 3 files changed, 31 insertions(+), 6 deletions(-) diff --git a/src/bio.c b/src/bio.c index a6b2d0174..dc067f599 100644 --- a/src/bio.c +++ b/src/bio.c @@ -499,7 +499,6 @@ int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len) } -/*** TBD ***/ WOLFSSL_API long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg) { (void)bio; @@ -507,8 +506,8 @@ WOLFSSL_API long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *pa (void)larg; (void)parg; - WOLFSSL_ENTER("BIO_ctrl"); - return 1; + WOLFSSL_STUB("BIO_ctrl"); + return 0; } @@ -688,6 +687,31 @@ WOLFSSL_BIO* wolfSSL_BIO_next(WOLFSSL_BIO* bio) return bio->next; } +/* BIO_wpending returns the number of bytes pending to be written. */ +size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio) +{ + WOLFSSL_ENTER("BIO_wpending"); + + if (bio == NULL) + return 0; + + if (bio->ssl != NULL) { + return (long)wolfSSL_pending(bio->ssl); + } + + if (bio->type == WOLFSSL_BIO_MEMORY) { + return bio->wrSz; + } + + /* type BIO_BIO then check paired buffer */ + if (bio->type == WOLFSSL_BIO_BIO && bio->pair != NULL) { + WOLFSSL_BIO* pair = bio->pair; + return pair->wrIdx; + } + + return 0; + +} /* Return the number of pending bytes in read and write buffers */ size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *bio) @@ -741,14 +765,13 @@ long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **ptr) return SSL_SUCCESS; } -/*** TBD ***/ WOLFSSL_API long wolfSSL_BIO_int_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, int iarg) { (void) bp; (void) cmd; (void) larg; (void) iarg; - WOLFSSL_ENTER("BIO_int_ctrl"); + WOLFSSL_STUB("BIO_int_ctrl"); return 0; } diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 3d041b00b..4765cca06 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h 
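Review bot: `return bio->wrSz;` and `return pair->wrIdx;` in the new wolfSSL_BIO_wpending pass what look like signed int fields through a `size_t` return, so a negative or stale value would reach the caller as a huge byte count; if the fields are `int`, clamp, e.g. `return (bio->wrSz > 0) ? (size_t)bio->wrSz : 0;`. For the BIO_BIO case, confirm that `pair->wrIdx` is the amount the peer has not yet consumed rather than the write cursor of a ring buffer; wolfSSL_BIO_ctrl_pending directly below is the reference for the pair accounting and the two should agree. The `bio->ssl != NULL` branch is reworked in PATCH 6/6 and is not raised here.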
@@ -649,7 +649,7 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES; #define GENERAL_NAMES_free(GENERAL_NAMES)NULL #define SSL_set_mode(ssl,op) wolfSSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) -#define BIO_wpending(b) wolfSSL_BIO_ctrl(b,BIO_CTRL_WPENDING,0,NULL) + #define SSL_CTX_use_certificate_ASN1 wolfSSL_CTX_use_certificate_ASN1 #define SSL_CTX_set0_chain(ctx,sk) \ wolfSSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk)) @@ -663,6 +663,7 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES; #define BIO_new_file wolfSSL_BIO_new_file #define BIO_ctrl wolfSSL_BIO_ctrl #define BIO_ctrl_pending wolfSSL_BIO_ctrl_pending +#define BIO_wpending wolfSSL_BIO_wpending #define BIO_get_mem_ptr wolfSSL_BIO_get_mem_ptr #define BIO_int_ctrl wolfSSL_BIO_int_ctrl #define BIO_reset wolfSSL_BIO_reset diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 450bde165..21e77df97 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2599,6 +2599,7 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509); WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx); +WOLFSSL_API size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio); WOLFSSL_API size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *b); WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl, unsigned char *out, size_t outlen); From 7b83db0f65e76ab8911209f3e13513c340cbc577 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 8 Aug 2018 12:34:33 -0700 Subject: [PATCH 3/6] Fix for PemToDer which was not properly handling extra new lines at end of file. --- src/ssl.c | 19 ++++++++++--------- wolfcrypt/src/asn.c | 10 ++-------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 755cbcbc9..16bae5005 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -4508,10 +4508,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, /* process user chain */ if (ret >= 0) { - /* First certificate in chain is loaded into ssl->buffers.certificate. - * Remainder are loaded into ssl->buffers.certChain. - * Chain should have server cert first, then intermediates, then root. - */ + /* Chain should have server cert first, then intermediates, then root. + * First certificate in chain is processed below after ProcessUserChain + * and is loaded into ssl->buffers.certificate. + * Remainder are processed using ProcessUserChain and are loaded into + * ssl->buffers.certChain. */ if (userChain) { ret = ProcessUserChain(ctx, buff, sz, format, type, ssl, used, info); } @@ -31477,9 +31478,9 @@ WOLFSSL_RSA* wolfSSL_d2i_RSAPrivateKey_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out) DYNAMIC_TYPE_TMP_BUFFER); if (extraBioMem == NULL) { WOLFSSL_MSG("Malloc failure");; - XFREE((unsigned char*)extraBioMem, bio->heap, + XFREE((unsigned char*)extraBioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE((unsigned char*)bioMem, bio->heap, + XFREE((unsigned char*)bioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); return NULL; } @@ -31492,13 +31493,13 @@ WOLFSSL_RSA* wolfSSL_d2i_RSAPrivateKey_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out) wolfSSL_BIO_write(bio, extraBioMem, extraBioMemSz); if (wolfSSL_BIO_pending(bio) <= 0) { WOLFSSL_MSG("Failed to write memory to bio"); - XFREE((unsigned char*)extraBioMem, bio->heap, + XFREE((unsigned char*)extraBioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE((unsigned char*)bioMem, bio->heap, + XFREE((unsigned char*)bioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); return NULL; } - XFREE((unsigned char*)extraBioMem, bio->heap, + XFREE((unsigned char*)extraBioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 45e5c98ee..27ceca70e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -8096,15 +8096,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type, consumedEnd = footerEnd + XSTRLEN(footer); if (consumedEnd < bufferEnd) { /* handle no end of line on last line */ - /* eat end of line */ - if (consumedEnd[0] == '\n') + /* eat new line characters */ + while (consumedEnd < bufferEnd && consumedEnd[0] == '\n') { consumedEnd++; - else if ((consumedEnd + 1 < bufferEnd) && consumedEnd[1] == '\n') - consumedEnd += 2; - else { - if (info) - info->consumed = (long)(consumedEnd+2 - (char*)buff); - return BUFFER_E; } } From ff7d2fefdcbbd287b56d067f96d82a4d616cadb6 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 8 Aug 2018 17:08:28 -0700 Subject: [PATCH 4/6] Fix for DH max size calc not including DH_Pub. --- src/bio.c | 2 +- wolfssl/internal.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bio.c b/src/bio.c index dc067f599..514fd2bf4 100644 --- a/src/bio.c +++ b/src/bio.c @@ -306,7 +306,7 @@ static int wolfSSL_BIO_BIO_write(WOLFSSL_BIO* bio, const void* data, WOLFSSL_ENTER("wolfSSL_BIO_BIO_write"); - /*adding in sanity checks for static analysis tools */ + /* adding in sanity checks for static analysis tools */ if (bio == NULL || data == NULL) { return BAD_FUNC_ARG; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a3a8af56f..d456220cc 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1158,7 +1158,7 @@ enum Misc { MAX_COMP_EXTRA = 1024, /* max compression extra */ MAX_MTU = WOLFSSL_MAX_MTU, /* max expected MTU */ MAX_UDP_SIZE = 8192 - 100, /* was MAX_MTU - 100 */ - MAX_DH_SZ = (MAX_DHKEY_SZ * 2) + 12, + MAX_DH_SZ = (MAX_DHKEY_SZ * 3) + 12, /* DH_P, DH_G and DH_Pub */ /* 4096 p, pub, g + 2 byte size for each */ MAX_STR_VERSION = 8, /* string rep of protocol version */ From 6ca56ee98cbd4cdcf5f3a610ee2d8bf6490f5dfa Mon Sep 17 00:00:00 2001 
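Review bot: The new `while` only consumes `'\n'` bytes after the footer, and the removed `else` branch was the only place that rejected anything else, so a footer followed by other bytes is now accepted silently and `info->consumed` (set a few lines below, outside the hunk) ends up pointing at those bytes instead of the function returning BUFFER_E. If lenient trailing data is intended, say so in the comment, e.g. `/* eat new line characters; other trailing bytes are left for the caller */`; otherwise keep rejecting a first trailing byte that is not a line terminator, as the old `else` did. The same applies to the rewritten form of this hunk in PATCH 5/6 (`@@ -8096,10 +8091,8 @@`). PemToDer starts and continues outside the hunk.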
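Review bot: The new comment `/* DH_P, DH_G and DH_Pub */` explains the `* 3`, but the `+ 12` remains unexplained: the surviving comment on the next line says `2 byte size for each`, which for three fields accounts for 6 bytes, not 12. Since MAX_DH_SZ presumably bounds a buffer that receives the peer's DH parameters, the slack should be stated precisely, e.g. `MAX_DH_SZ = (MAX_DHKEY_SZ * 3) + 12, /* DH_P, DH_G, DH_Pub + 2-byte length each; TODO: state what the other 6 bytes cover */`, or trimmed to what the encoding needs once that is confirmed.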
From: David Garske Date: Thu, 9 Aug 2018 08:42:15 -0700 Subject: [PATCH 5/6] Fix to handle carriage return case in PEM end of line character handling (for Windows). Cleanup to consolidate duplicate end of line character handling code. --- wolfcrypt/src/asn.c | 37 +++++++++++++++---------------------- 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 27ceca70e..b340ee1dc 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7556,6 +7556,15 @@ const char* const END_PUB_KEY = "-----END PUBLIC KEY-----"; #endif +static WC_INLINE char* SkipEndOfLineChars(char* line, const char* endOfLine) +{ + /* eat end of line characters */ + while (line < endOfLine && + (line[0] == '\r' || line[0] == '\n')) { + line++; + } + return line; +} int wc_PemGetHeaderFooter(int type, const char** header, const char** footer) { @@ -7794,11 +7803,8 @@ static int wc_EncryptedInfoParse(EncryptedInfo* info, else return BUFFER_E; - /* eat blank line */ - while (newline < bufferEnd && - (*newline == '\r' || *newline == '\n')) { - newline++; - } + /* eat end of line characters */ + newline = SkipEndOfLineChars(newline, bufferEnd); /* return new headerEnd */ if (pBuffer) @@ -8051,19 +8057,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, headerEnd += XSTRLEN(header); - if ((headerEnd + 1) >= bufferEnd) - return BUFFER_E; - - /* eat end of line */ - if (headerEnd[0] == '\n') - headerEnd++; - else if (headerEnd[1] == '\n') - headerEnd += 2; - else { - if (info) - info->consumed = (long)(headerEnd+2 - (char*)buff); - return BUFFER_E; - } + /* eat end of line characters */ + headerEnd = SkipEndOfLineChars(headerEnd, bufferEnd); if (type == PRIVATEKEY_TYPE) { if (eccKey) { 
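Review bot: `SkipEndOfLineChars` has no header comment stating its contract, and since the callers in the `@@ -7794` and `@@ -8051` hunks now rely on it instead of their own bound checks, that contract matters: it consumes any run of `'\r'`/`'\n'` (so blank lines too), never advances past `endOfLine`, and returns `line` unchanged when `line >= endOfLine`. Add something like `/* Advance line past any CR/LF run, never beyond endOfLine; returns line unchanged if there is nothing to skip */` above the definition. A blank line between its closing `}` and `int wc_PemGetHeaderFooter` would also match the surrounding layout.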
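Review bot: Dropping `if ((headerEnd + 1) >= bufferEnd) return BUFFER_E;` together with the `else` branch removes the only rejection of a header that is not followed by a line terminator, so a header immediately followed by base64 data, or a buffer that ends right after the header, now proceeds to the footer search outside the hunk instead of returning BUFFER_E with `info->consumed` set. If the footer search is relied on to catch this, a comment saying so would help, e.g. `/* missing EOL after the header is tolerated; a truncated buffer fails at the footer search below */`; otherwise keep a bound check such as `if (headerEnd >= bufferEnd) return BUFFER_E;` after the new `SkipEndOfLineChars` call. PemToDer starts and continues outside the hunk.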
@@ -8096,10 +8091,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, consumedEnd = footerEnd + XSTRLEN(footer); if (consumedEnd < bufferEnd) { /* handle no end of line on last line */ - /* eat new line characters */ - while (consumedEnd < bufferEnd && consumedEnd[0] == '\n') { - consumedEnd++; - } + /* eat end of line characters */ + consumedEnd = SkipEndOfLineChars(consumedEnd, bufferEnd); } if (info) From f23915baa15bdf155762d2ca869ad0b4df1aaf32 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 14 Aug 2018 12:44:31 -0600 Subject: [PATCH 6/6] Fix for BIO ssl case, which is not supported (for the Boost.Asio project this isn't required either). --- src/bio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bio.c b/src/bio.c index 514fd2bf4..a28fafd02 100644 --- a/src/bio.c +++ b/src/bio.c @@ -696,7 +696,8 @@ size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio) return 0; if (bio->ssl != NULL) { - return (long)wolfSSL_pending(bio->ssl); + /* not supported case */ + return 0; } if (bio->type == WOLFSSL_BIO_MEMORY) { @@ -710,7 +711,6 @@ size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio) } return 0; - } /* Return the number of pending bytes in read and write buffers */
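Review bot: The `bio->ssl != NULL` branch now returns 0 with only `/* not supported case */`, which a caller cannot tell apart from "nothing pending", while the function's header comment above the hunk (`/* BIO_wpending returns the number of bytes pending to be written. */`) still promises a real count for every BIO. Extend that comment to `/* BIO_wpending returns the number of bytes pending to be written. SSL-type BIOs are not supported and always report 0. */`, and consider marking the branch with the `WOLFSSL_STUB` macro this series already uses for BIO_ctrl, if that macro is meant for partially supported paths. wolfSSL_BIO_wpending starts outside the hunk.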